Privacy policy

Translation provided for convenience

Only the French version is legally binding. In case of any discrepancy or conflict in interpretation, the French version shall prevail.

View French version

Last updated: March 2026

1. Data controller

HEXAI (SAS with a share capital of EUR 10,000) — 203 Chemin des Vignobles, 74210 Doussard, France.

Contact: contact@tresorus.fr

2. Data collected

In connection with the use of Tresorus, we may collect:

  • Account data (where an account is created): email address, username, postal code
  • Geolocation data (consent required): GPS position only during gameplay, processed in real time and not stored on our servers
  • Progress data: completed trails, badges earned, scores
  • Technical data: device type, operating system, application version
  • Push notification token (optional): only if you enable notifications

3. Purposes and legal bases

  • Performance of the contract: provision of the treasure hunt service (account, progress, badges)
  • Consent: GPS geolocation, push notifications
  • Consent (cookies): audience measurement via analytics cookies (see section 5)

4. Data sharing

Your data is never sold. It may be shared with our technical sub-processors:

  • Supabase (database hosting) — European Union servers
  • Cloudflare (media storage) — global network, protected by Standard Contractual Clauses (SCCs)
  • Vercel (website hosting) — United States, certified under the EU-US Data Privacy Framework
  • PostHog (analytics) — European Union servers, only if you accept analytics cookies
  • Sentry (error monitoring, mobile application) — United States, certified under the EU-US Data Privacy Framework
  • Expo / Google Firebase (push notifications) — United States, certified under the EU-US Data Privacy Framework (Google)

5. Cookies

The Tresorus website uses two types of cookies:

  • Strictly necessary cookies: management of the authentication session (Supabase). These cookies are essential for the operation of the service and do not require your consent.
  • Analytics cookies (PostHog): audience measurement and improvement of the service. These cookies are only set with your prior consent via the cookie banner. You may change your choice at any time:

6. International transfers

Some of your data may be transferred outside the European Union to our sub-processors located in the United States. These transfers are governed by:

  • The EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) for Vercel, Sentry and Google/Firebase
  • Standard Contractual Clauses (SCCs) approved by the European Commission for Cloudflare

Your main data (account, progress, badges) is hosted by Supabase on servers located within the European Union.

7. Retention period

  • Account data: retained as long as the account is active, then deleted after 5 years of inactivity
  • Geolocation data: not retained after the gameplay session
  • Analytics cookies: 13 months maximum

8. Your rights (GDPR)

In accordance with the GDPR, you have the following rights:

  • Access: obtain a copy of your data
  • Rectification: correct inaccurate data
  • Erasure: request the deletion of your data
  • Portability: retrieve your data in a structured format
  • Objection: object to the processing of your data
  • Restriction: request the restriction of processing
  • Withdrawal of consent: withdraw your consent at any time (cookies, notifications, geolocation) without affecting the lawfulness of prior processing

To exercise these rights, please contact us at contact@tresorus.fr. We will respond within 30 days.

9. Complaint

You may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés — French Data Protection Authority).